InQuest has just released a new analysis suite for the researcher and hobbyist. Welcome to InQuest Labs!

Our CTO, Pedram Amini, presented Worm Charming: Harvesting Malware Lures for Fun and Profit at Black Hat USA 2019. During this talk, Pedram detailed the harvesting mechanism that drives the DFI portion of InQuest Labs. The pipeline ingests malware at scale; samples are fed through a lightweight, less featured version of Deep File Inspection to extract embedded logic, semantic content, metadata, and IOCs such as URLs, domains, IPs, e-mail addresses, and file names.

Currently, Microsoft Office and OpenOffice documents, spreadsheets, and presentations are available for search and download. In the future, we will expand the public data set to include Adobe PDF documents, Java and Flash applets, and scriptlets such as PowerShell. You can search extracted layers and IOCs by keyword, download samples, pivot between samples by heuristic detections and IOCs, and more, either interactively through the web interface or programmatically through our open API. Result sets from the API are limited to 1337 results at a time. Contact us directly if you wish to gain unfettered access.

Some of the capabilities found within InQuest Labs are:

Deep File Inspection (DFI-LITE)

Indicators of Compromise Database (IOC-DB)

Aggregate Reputation Database (REP-DB)

YARA Tools

The InQuest Labs introduction blog highlights some of the capabilities of IOC-DB and REP-DB. Expect follow-on blogs showcasing DFI-LITE and the YARA tools.

Memory Analysis of TrickBot

Posted on 2019-08-26 by Josiah Smith

In this blog, we take a brief dive into memory analysis using Volatility and the memory analysis methodology. For those unfamiliar with the tool, The Volatility Framework is a completely open collection of tools, implemented in Python, for the extraction of digital artifacts from volatile memory (RAM) samples.

YARA For Everyone: Rules will be Rules

Posted on 2019-08-30 by William MacArthur

In our previous article in the series, "Sharing is Caring", we did a quick installation of YARA on multiple platforms. We created a rule template, filled out our first rule, and tested it against a manually created file to find our name within files via an ASCII string match.

DetectionLab

Microsoft warns of two new 'wormable' flaws in Windows Remote Desktop Services

These two vulnerabilities are similar to the vulnerability known as BlueKeep (CVE-2019-0708). Microsoft patched BlueKeep in May and warned that attackers could abuse it to create "wormable" attacks that spread from one computer to another without user interaction.

GOOTKIT Banking Trojan | Deep Dive Into Anti-Analysis Features

The Gootkit Banking Trojan was discovered back in 2014 and utilizes the Node.js library to perform a range of malicious tasks, from website injections and password grabbing all the way up to video recording and remote VNC capabilities.

Monroe College Hit With Ransomware, $2 Million Demanded

A ransomware attack at New York City's Monroe College has shut down the college's computer systems at campuses located in Manhattan, New Rochelle, and St. Lucia. Reports indicate that the attackers are asking for 170 bitcoins in order to decrypt the college's entire network.